{
  "id": "security/credential-stuffing-via-rate-limit-bypass",
  "signature": "Credential stuffing attack succeeds because rate limiting is bypassed by rotating IP addresses",
  "signature_zh": "由于通过轮换 IP 地址绕过了速率限制，凭证填充攻击成功",
  "regex": "rate limit exceeded|too many login attempts from IP|credential stuffing detected",
  "domain": "security",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "Rate limiting keyed solely on source IP is ineffective against credential stuffing run through a botnet or residential-proxy pool with many unique IPs: each IP stays below the per-IP threshold, so the aggregate number of login attempts against the application is effectively unbounded.",
  "root_cause_type": "generic",
  "root_cause_zh": "仅以来源 IP 为键的速率限制对通过僵尸网络或住宅代理池（拥有大量唯一 IP）发起的凭证填充攻击无效：每个 IP 都保持在单 IP 阈值之下，因此针对应用的总体登录尝试次数实际上不受限制。",
  "versions": [
    {
      "version": "Nginx 1.24",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Cloudflare WAF",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS WAF",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Increase the rate limit threshold to allow more requests per IP",
      "why_fails": "A higher threshold only increases the number of unchallenged attempts each IP may make, raising attacker throughput, while a distributed attack was never reaching the per-IP limit in the first place.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Block IPs after a few failed attempts with a permanent ban",
      "why_fails": "Attackers rotate IPs, so permanent bans on individual addresses don't stop the attack; they also block legitimate users who share an address (VPNs, corporate NAT, carrier-grade NAT on mobile networks) and, over time, fill the ban list with addresses that have since been reassigned to other parties.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Implement multi-factor rate limiting: key limits on the target username/account and a device fingerprint in addition to the source IP, so that rotating IPs does not reset the counter. A sliding window with exponential backoff belongs in the application layer, since nginx's limit_req is a leaky bucket keyed on a single variable and cannot see POST body fields such as the username. Example in Nginx:\nlimit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;\nlimit_req_zone $http_user_agent zone=ua:10m rate=10r/m;\nserver {\n    location /login {\n        limit_req zone=login burst=10 nodelay;\n        limit_req zone=ua burst=20 nodelay;\n    }\n}\nCaveats: $http_user_agent is attacker-controlled and shared by many legitimate browsers, so the ua zone is trivially bypassed and can throttle real users; treat it only as a supplementary signal. Behind Cloudflare, AWS WAF or any reverse proxy, $binary_remote_addr is the proxy's address unless the real_ip module (set_real_ip_from / real_ip_header) is configured for the trusted proxy's header; otherwise every user lands in one bucket.",
      "success_rate": 0.8,
      "how": "Implement multi-factor rate limiting: key limits on the target username/account and a device fingerprint in addition to the source IP, so that rotating IPs does not reset the counter. A sliding window with exponential backoff belongs in the application layer, since nginx's limit_req is a leaky bucket keyed on a single variable and cannot see POST body fields such as the username. Example in Nginx:\nlimit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;\nlimit_req_zone $http_user_agent zone=ua:10m rate=10r/m;\nserver {\n    location /login {\n        limit_req zone=login burst=10 nodelay;\n        limit_req zone=ua burst=20 nodelay;\n    }\n}\nCaveats: $http_user_agent is attacker-controlled and shared by many legitimate browsers, so the ua zone is trivially bypassed and can throttle real users; treat it only as a supplementary signal. Behind Cloudflare, AWS WAF or any reverse proxy, $binary_remote_addr is the proxy's address unless the real_ip module (set_real_ip_from / real_ip_header) is configured for the trusted proxy's header; otherwise every user lands in one bucket.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Present a CAPTCHA challenge after a few failed attempts keyed on the target account or device fingerprint, not just IP. Note that reCAPTCHA v3 is score-based and shows no challenge: use its score to decide when to step up to a visible challenge (reCAPTCHA v2 or equivalent). Treat CAPTCHA as added attacker cost rather than a hard stop, since solver farms can defeat it at scale.",
      "success_rate": 0.9,
      "how": "Present a CAPTCHA challenge after a few failed attempts keyed on the target account or device fingerprint, not just IP. Note that reCAPTCHA v3 is score-based and shows no challenge: use its score to decide when to step up to a visible challenge (reCAPTCHA v2 or equivalent). Treat CAPTCHA as added attacker cost rather than a hard stop, since solver farms can defeat it at scale.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a short, temporary account lockout (e.g., 1 minute) after 5 failed attempts per username, regardless of IP. Caveats: credential stuffing usually tries each username only once or twice with leaked passwords, so a per-username counter mainly stops single-account brute force; pair it with an aggregate signal such as a spike in failed logins across many distinct accounts. Keep lockouts short and return the same response for locked, unknown and wrong-password cases, otherwise the control becomes a denial-of-service and username-enumeration vector.",
      "success_rate": 0.85,
      "how": "Use a short, temporary account lockout (e.g., 1 minute) after 5 failed attempts per username, regardless of IP. Caveats: credential stuffing usually tries each username only once or twice with leaked passwords, so a per-username counter mainly stops single-account brute force; pair it with an aggregate signal such as a spike in failed logins across many distinct accounts. Keep lockouts short and return the same response for locked, unknown and wrong-password cases, otherwise the control becomes a denial-of-service and username-enumeration vector.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Implement multi-factor rate limiting: key limits on the target username/account and a device fingerprint in addition to the source IP, so that rotating IPs does not reset the counter. A sliding window with exponential backoff belongs in the application layer, since nginx's limit_req is a leaky bucket keyed on a single variable and cannot see POST body fields such as the username. Example in Nginx:\nlimit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;\nlimit_req_zone $http_user_agent zone=ua:10m rate=10r/m;\nserver {\n    location /login {\n        limit_req zone=login burst=10 nodelay;\n        limit_req zone=ua burst=20 nodelay;\n    }\n}\nCaveats: $http_user_agent is attacker-controlled and shared by many legitimate browsers, so the ua zone is trivially bypassed and can throttle real users; treat it only as a supplementary signal. Behind Cloudflare, AWS WAF or any reverse proxy, $binary_remote_addr is the proxy's address unless the real_ip module (set_real_ip_from / real_ip_header) is configured for the trusted proxy's header; otherwise every user lands in one bucket.",
    "Present a CAPTCHA challenge after a few failed attempts keyed on the target account or device fingerprint, not just IP. Note that reCAPTCHA v3 is score-based and shows no challenge: use its score to decide when to step up to a visible challenge (reCAPTCHA v2 or equivalent). Treat CAPTCHA as added attacker cost rather than a hard stop, since solver farms can defeat it at scale.",
    "Use a short, temporary account lockout (e.g., 1 minute) after 5 failed attempts per username, regardless of IP. Caveats: credential stuffing usually tries each username only once or twice with leaked passwords, so a per-username counter mainly stops single-account brute force; pair it with an aggregate signal such as a spike in failed logins across many distinct accounts. Keep lockouts short and return the same response for locked, unknown and wrong-password cases, otherwise the control becomes a denial-of-service and username-enumeration vector."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks",
  "official_doc_section": null,
  "error_code": "AUTH_RATE_003",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.75,
  "resolvable": "partial",
  "first_seen": "2023-06-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}